Abstract

There are recent cryptographic protocols that are based on Multiple Simultaneous Conjugacy Problems in braid groups. We improve an algorithm, due to Sang Jin Lee and Eonkyung Lee, to solve these problems, by applying a method developed by the author and Nuno Franco, originally intended to solve the Conjugacy Search Problem in braid groups.

1 Introduction 

In [14], Sang Jin Lee and Eonkyung Lee give an algorithm to solve the following problem, that they call Multiple Simultaneous Conjugacy Problem (MSCP), in the braid group $B_n$: given the $r$-tuples $(a_1, \ldots, a_r)$ and $(x^{-1} a_1 x, \ldots, x^{-1} a_r x)$ in $B_n$, find the conjugator $x$.

This problem has been proposed for cryptographical applications: there is a Key Agreement Protocol proposed by Anshel, Anshel and Goldfeld in [?], improved by the same authors and Fisher in [?], which is based on the difficulty of solving a MSCP in some groups. Braid groups have been proposed as a good choice. There have been different attacks on this cryptosystem, namely length-based attacks ([?], [?]), linear algebraic ones ([?], [?]) and others [?]. But the algorithm we describe in this paper can be thought of as a direct attack on the base problem of the protocol.

We will assume that the reader is familiar with the basic notions in braid theory, which can be found in [?] or [?]. It is also desirable to know the work in [?], [?] and [?].

Recall that, given a braid $a \in B_n$, the integer $\inf(a)$ is the biggest $k \in \mathbb{Z}$ such that $a = \Delta^k p$, where $\Delta$ is the usual Garside element (half twist of all the strands) and $p$ is a positive braid (all its crossings are positive).

The algorithm in [14] works as follows: first they define, for every $r$-tuple of braids $\alpha = (a_1, \ldots, a_r) \in (B_n)^r$, the set $C^{\inf}(\alpha)$ consisting of all $\beta = (b_1, \ldots, b_r) \in (B_n)^r$ such that $\inf(b_i) \geq \inf(a_i)$ for all $i$ and there exists some $\omega \in B_n$ satisfying $b_i = \omega^{-1} a_i \omega$ for all $i$ simultaneously (that is, $\beta = \omega^{-1} \alpha \omega$). Then they prove the following result:

Theorem 1.1. Let $\alpha = (a_1, \ldots, a_r)$ and $\beta = (b_1, \ldots, b_r)$ be an instance of a MSCP in $B_n$, and $x$ a positive solution. Then one can compute a positive braid $x_0$ and an $r$-tuple $\beta' = (b_1', \ldots, b_r') \in C^{\inf}(\alpha)$ such that $b_i' = x_0 b_i x_0^{-1}$ for all $i$, in time proportional to

$$n (\log n)\, |x| \Big( |x| + \sum_{i=1}^{r} \big( |a_i| + |b_i| \big) \Big),$$

where $|\cdot|$ denotes word length in generators. Moreover $x = x_1 x_0$ for some positive braid $x_1$.

Here $C^{\inf}(\alpha)$ plays the role of the Summit Set defined in [?] to solve the conjugacy problem in $B_n$, in the sense that it satisfies the following result:

Theorem 1.2. Given $\beta \in C^{\inf}(\alpha)$, there exists a chain of elements $\alpha = \alpha_1, \alpha_2, \ldots, \alpha_{k+1} = \beta$ in $C^{\inf}(\alpha)$, where successive elements are simultaneously conjugated by a permutation braid. In other words, there exist permutation braids $s_1, \ldots, s_k$ such that $s_j^{-1} \alpha_j s_j = \alpha_{j+1}$ for every $j = 1, \ldots, k$.

Therefore, by classical methods (see [?]), one can use these two results to solve any MSCP in finite time. Nevertheless, this classical approach gives a computational complexity which is exponential with respect to the braid index $n$, and involves the cardinality $N$ of the set $C^{\inf}(\alpha)$.

S. J. Lee and E. Lee expect in [14] that one can apply the methods in [?] to this algorithm, so that the computational complexity becomes a polynomial in $(n, r, l, N)$, where $l$ is the maximal word-length of the $a_i$'s and $b_i$'s. Here we show that this is the case. More precisely, we show:

Theorem 1.3. Let $\alpha = (a_1, \ldots, a_r) \in (B_n)^r$ and $\beta = (b_1, \ldots, b_r) \in C^{\inf}(\alpha)$. Let $l$ be the maximal word length of the $a_i$'s and $b_i$'s, and let $N$ be the number of elements in $C^{\inf}(\alpha)$. Then one can compute a braid $x \in B_n$ such that $x^{-1} \alpha x = \beta$ in time $O(N r l^2 n^3)$.

2 Minimal simple elements for MSCP 

Let us consider the Artin monoid of positive braids, $B_n^+$. We can define a prefix order on its elements, $\preceq$, as follows: for $a, b \in B_n^+$, $a \preceq b$ if and only if there exists $c \in B_n^+$ such that $ac = b$. We will say that $a$ is a prefix (or a divisor) of $b$, or that $b$ is divisible by $a$. This is a partial order on $B_n^+$, with some nice properties: for every $u, v \in B_n^+$ there exist their least common multiple, $u \vee v$, and their greatest common divisor, $u \wedge v$. There also exists an element $\Delta$ (which is represented by a half twist of all the strands) which, together with the above partial order, endows $B_n^+$ with a structure of Garside monoid, so $B_n$ is a Garside group (cf. [?], [?]).

The permutation braids, also called simple elements, are the prefixes (or divisors) of $\Delta$. We denote by $S$ the set of simple elements. In $B_n$ there are $n!$ simple elements.

The algorithm used in [14] to solve a MSCP goes as follows: given conjugate $\alpha, \beta \in (B_n)^r$, one computes $\beta' \in C^{\inf}(\alpha)$ as in Theorem 1.1. Then one must construct the whole $C^{\inf}(\alpha)$ using the method by Garside: conjugate $\alpha$ by all simple elements. If new elements in $C^{\inf}(\alpha)$ are obtained, conjugate each one of them by all simple elements. Continue until no new elements appear. At that point, by Theorem 1.2, we will have computed the whole $C^{\inf}(\alpha)$ and, moreover, we will know a chain going from $\alpha$ to any other element in $C^{\inf}(\alpha)$, as in Theorem 1.2. Hence, the chain associated to $\beta'$, together with the element $x_0$ in Theorem 1.1, will give us the solution to the MSCP.

One of the main problems of this algorithm is the size of $S$. For every element in $C^{\inf}(\alpha)$ one must compute $n!$ conjugations! The idea in [?] is to consider very small subsets of $S$, which can be computed fast, satisfying some suitable properties that allow the classical algorithm to work with them instead of the whole $S$. The general method to compute these small subsets is the following.

Let $\mathcal{P}$ be a property for simple elements, and let $S_{\mathcal{P}}$ be the set of simple elements satisfying $\mathcal{P}$. Then $\min(S_{\mathcal{P}})$ is defined as the set of minimal elements (with respect to $\preceq$) in $S_{\mathcal{P}}$. We must then define some suitable properties.

Let $J = (j_1, \ldots, j_r) \in \mathbb{Z}^r$ and let $C_J$ be the set of $r$-tuples $\delta = (d_1, \ldots, d_r) \in (B_n)^r$ such that $\inf(d_i) \geq j_i$ for all $i$.

Definition 2.1. Let $J = (j_1, \ldots, j_r) \in \mathbb{Z}^r$ and let $\delta = (d_1, \ldots, d_r) \in C_J$. We say that a simple element $s$ satisfies the property $\mathcal{P}(\delta, J)$ if $s^{-1} \delta s \in C_J$. In other words, if $\inf(s^{-1} d_i s) \geq j_i$ for all $i$.

Now consider the subsets $S_{\delta,J} = \min(S_{\mathcal{P}(\delta,J)}) \subset S$, where $\delta \in C_J$. These are the small subsets of $S$ we were talking about. We can use them to solve a MSCP by means of the following result:

Proposition 2.2. Given $\alpha = (a_1, \ldots, a_r) \in (B_n)^r$, let $J = (\inf(a_1), \ldots, \inf(a_r)) \in \mathbb{Z}^r$. For every $\beta \in C^{\inf}(\alpha)$, there exists a chain $\alpha = \alpha_1, \alpha_2, \ldots, \alpha_{k+1} = \beta$ in $C^{\inf}(\alpha)$, where for $j = 1, \ldots, k$, $\alpha_j$ is conjugated to $\alpha_{j+1}$ by a simple element $s_j \in S_{\alpha_j, J}$. That is, $s_j^{-1} \alpha_j s_j = \alpha_{j+1}$ and $s_j$ is minimal among the simple elements conjugating $\alpha_j$ to an element in $C_J$.

Proof. This result is analogous to Proposition 4.10 in [?]. It suffices to take the chain given in Theorem 1.2 and decompose every simple element into minimal ones. We notice that we obtain a chain of elements in $C_J$, but since all these elements are conjugated to $\alpha$, they all belong to $C^{\inf}(\alpha)$. □



3 Size of $S_{\delta,J}$

In this section we will show that the cardinality of $S_{\delta,J}$, for every $J \in \mathbb{Z}^r$ and every $\delta \in C_J$, is always smaller than $n$. Hence, if we know how to compute it fast, we will improve considerably the speed of the algorithm by Lee and Lee (recall that $\#(S) = n!$). We will need the following results:

Proposition 3.1. [?] If a property $\mathcal{P}$ is closed under gcd (i.e., if $s_1, s_2 \in S_{\mathcal{P}}$ implies $s_1 \wedge s_2 \in S_{\mathcal{P}}$) then $\#(\min(S_{\mathcal{P}})) \leq n - 1$. □

Proposition 3.2. For every $J \in \mathbb{Z}^r$ and every $\delta \in C_J$, the property $\mathcal{P}(\delta, J)$ is closed under gcd.

Proof. Suppose that $s_1, s_2 \in S_{\mathcal{P}(\delta,J)}$, that is, for every $i = 1, \ldots, r$, $\inf(s_1^{-1} d_i s_1) \geq j_i$ and $\inf(s_2^{-1} d_i s_2) \geq j_i$. Since $\delta \in C_J$ one has $d_i = \Delta^{j_i} p_i$ for some positive braid $p_i$. Then

$$s_1^{-1} d_i s_1 = s_1^{-1} \Delta^{j_i} p_i s_1 = \Delta^{j_i} \tau^{j_i}(s_1^{-1})\, p_i s_1,$$

where $\tau$ is the inner automorphism of $B_n$ which consists of conjugation by $\Delta$. Hence, $\inf(s_1^{-1} d_i s_1) \geq j_i$ means that $\tau^{j_i}(s_1^{-1}) p_i s_1$ is positive, or in other words: $\tau^{j_i}(s_1) \preceq p_i s_1$. In the same way one has $\tau^{j_i}(s_2) \preceq p_i s_2$ for all $i$. We must therefore show that, for $i = 1, \ldots, r$, one has $\tau^{j_i}(s) \preceq p_i s$, where $s = s_1 \wedge s_2$.

Since $\tau$ is a homomorphism that preserves the prefix order, then $\tau^{j_i}(s_1) \wedge \tau^{j_i}(s_2) = \tau^{j_i}(s_1 \wedge s_2) = \tau^{j_i}(s)$. This implies $\tau^{j_i}(s) \preceq p_i s_1$ and $\tau^{j_i}(s) \preceq p_i s_2$, hence $\tau^{j_i}(s) \preceq (p_i s_1) \wedge (p_i s_2) = p_i (s_1 \wedge s_2) = p_i s$, as we wanted to show. □

Corollary 3.3. For every $J \in \mathbb{Z}^r$ and every $\delta \in C_J$, the set $S_{\delta,J} = \min(S_{\mathcal{P}(\delta,J)})$ has at most $n - 1$ elements. □



4 How to compute $S_{\delta,J}$

We will finally present an algorithm that computes $S_{\delta,J}$, given $J \in \mathbb{Z}^r$ and $\delta \in C_J$. This algorithm will have complexity $O(r l^2 n^3)$. Hence, in the algorithm by Lee and Lee, we no longer need to conjugate every $\delta \in C^{\inf}(\alpha)$ by all simple elements ($n!$ conjugations); we can compute $S_{\delta,J}$ and then we do no more than $n - 1$ conjugations.

We first need to be more precise about the work in [?]. We saw in Proposition 3.1 that $\min(S_{\mathcal{P}})$ has at most $n - 1$ elements; but we can actually say more: for every generator $\sigma_i$, there is exactly one element $r_i \in \min(S_{\mathcal{P}})$ such that $\sigma_i \preceq r_i$. It can happen, however, that $r_i = r_j$ for some $i \neq j$. Anyway, in order to compute $\min(S_{\mathcal{P}})$ (in our particular case $S_{\delta,J}$), we just need to compute $r_i$ for $i = 1, \ldots, n - 1$.

A method to compute the least common multiple $s \vee p$ of a simple element $s$ and a positive braid $p$ is also given in [?]. More precisely, the algorithm given in [?] computes a simple element $s'$ such that $p s' = s \vee p$. This takes time $O(l^2 n \log n)$, where $l$ is the word length of $p$, and $n$ is the number of strands. Notice that, in terms of theoretical complexity, this algorithm is equivalent to the computation of a normal form (cf. [?]). Furthermore, it is also shown in [?] that if $p$ is given in left normal form, then the complexity becomes $O(l n \log n)$.
So let us suppose that we are given $J = (j_1, \ldots, j_r) \in \mathbb{Z}^r$ and $\delta = (d_1, \ldots, d_r) \in C_J$, and we want to compute $S_{\delta,J}$. As we said before, we just need to compute $r_i$ for every $i = 1, \ldots, n - 1$, where, in this case, $r_i$ is the minimal simple element which is divisible by $\sigma_i$ and conjugates $\delta$ to an element in $C_J$. We propose the following algorithm:

Algorithm to compute $r_i$.

1. Let $D \subset \{1, \ldots, r\}$ consist of those $t$ such that $\inf(d_t) = j_t$.

2. For every $t \in D$, compute $p_t$ such that $d_t = \Delta^{j_t} p_t$.

3. Let $s = \sigma_i$.

4. If $\tau^{j_t}(s) \preceq p_t s$ for every $t \in D$, then return $s$. Stop.

5. Take $m \in D$ such that $\tau^{j_m}(s) \not\preceq p_m s$.

6. Compute $s'$ such that $(p_m s) s' = \tau^{j_m}(s) \vee p_m s$.

7. Let $s = s s'$ and go to step 4.

Proposition 4.1. Given $J = (j_1, \ldots, j_r) \in \mathbb{Z}^r$, $\delta = (d_1, \ldots, d_r) \in C_J$ and $i \in \{1, \ldots, n - 1\}$, the above algorithm computes $r_i$, the minimal simple element which is divisible by $\sigma_i$ and conjugates $\delta$ to an element in $C_J$.

Proof. The algorithm starts by considering just those $d_t$ whose infimum is exactly $j_t$. This is due to the following fact: if we can write $d_t = \Delta^k p_t$ where $k > j_t$ and $p_t$ is a positive braid, then for every simple element $s$ we will have:

$$s^{-1} d_t s = s^{-1} \Delta^k p_t s = \Delta^k \tau^k(s^{-1})\, p_t s = \Delta^{k-1} \big( \Delta\, \tau^k(s^{-1}) \big) p_t s.$$

But $\tau^k(s)$ is a simple element, so $\Delta\, \tau^k(s^{-1})$ is a positive braid, hence the infimum of $s^{-1} d_t s$ is at least $k - 1 \geq j_t$. Therefore, we just need to care about those $d_t$ where $t \in D$.

For every $t \in D$ one has $d_t = \Delta^{j_t} p_t$, where $p_t$ is a positive braid. These elements $p_t$ are computed in Step 2 just by computing the left normal form of $d_t$.

We want to find $r_i$, and we know that $\sigma_i \preceq r_i$. In the algorithm, the simple element $s$ will be the possible value of $r_i$. At every iteration of the loop in Steps 4-7, we start with a simple element $s$ such that $\sigma_i \preceq s \preceq r_i$, and we check if $s = r_i$. If it is not, we multiply $s$ by some suitable simple element $s'$, and we start again. We must show that this makes sense.

At Step 3 we set $s = \sigma_i$, so we are sure that $\sigma_i \preceq s \preceq r_i$. Then we start the loop. In order to decide if $s = r_i$, we must check if $\inf(s^{-1} d_t s) \geq j_t$ for all $t \in D$. But, in the same way as above, one has $s^{-1} d_t s = \Delta^{j_t} \tau^{j_t}(s^{-1})\, p_t s$, so $\inf(s^{-1} d_t s) \geq j_t$ if and only if $\tau^{j_t}(s^{-1}) p_t s$ is a positive braid, or in other words, if $\tau^{j_t}(s) \preceq p_t s$. This is what is checked at Step 4.

If Step 4 determined that $s \neq r_i$, we must have found some $m \in D$ such that $\tau^{j_m}(s) \not\preceq p_m s$. Step 5 just takes one of these values.

Now comes the main step: we know that $s \preceq r_i$, so $r_i = s \bar{s}$ for some simple element $\bar{s}$. Moreover, $\inf(r_i^{-1} d_m r_i) \geq j_m$, so one has $\tau^{j_m}(r_i) \preceq p_m r_i$. Hence, $\tau^{j_m}(s) \preceq \tau^{j_m}(s)\, \tau^{j_m}(\bar{s}) = \tau^{j_m}(r_i) \preceq p_m r_i$, while on the other hand $p_m s \preceq p_m s \bar{s} = p_m r_i$. Therefore, the least common multiple $\tau^{j_m}(s) \vee p_m s$ must also divide $p_m r_i$. Step 6 computes this lcm. Actually, it computes $s'$ such that $\tau^{j_m}(s) \vee p_m s = (p_m s) s'$. But since this divides $p_m r_i$, we finally obtain that

$$s s' \preceq r_i.$$

We must remark two facts: first, $s s'$ is always a simple element, since it divides the simple element $r_i$. Second, $s'$ cannot be trivial, since otherwise we would have $\tau^{j_m}(s) \vee p_m s = p_m s$, implying $\tau^{j_m}(s) \preceq p_m s$, which gives a contradiction with the choice of $m$. Therefore, $s s'$ is strictly greater than $s$, but still a divisor of $r_i$, so in Step 7 we set $s = s s'$, and start the loop again. This cannot run forever since the word length of $s$ is increased at every iteration, so the maximal number of iterations is $\frac{n(n-1)}{2}$ (the word length of $\Delta$).

Therefore, at a certain iteration, we will obtain $s = r_i$, and the algorithm stops at Step 4 giving the correct output. □
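The following Python is added here as an illustration and is not code from the paper: it brute-forces Definition 2.1 and the elements $r_i$ of this section for small $n$, representing simple elements as permutation braids, the prefix order as inclusion of crossing-pair sets, and evaluating $\mathcal{P}(\delta, J)$ as in Step 4 under the added assumption that every $p_t$ is itself a simple element, so that $\tau^{j_t}(s) \preceq p_t s$ reduces to a test against the first left-normal-form factor of $p_t s$. It finds each $r_i$ by enumerating all $n!$ simple elements instead of the lcm iteration of Steps 4-7 (which needs the general positive-braid lcm of [?]), which is enough to check on concrete instances that each $r_i$ is unique (Proposition 3.2) and that $\min(S_{\mathcal{P}})$ has at most $n-1$ elements (Corollary 3.3).

```python
"""Constructed example (not the paper's code): simple elements of B_n as
permutation braids, the property P(delta, J) of Definition 2.1 and the
minimal elements r_i of Section 4, found by brute force for small n."""
from itertools import permutations

# A simple element is a tuple pos with pos[k] = final position (0-based) of
# the strand starting at position k.  Products are read left to right.

def gen(n, i):
    """Artin generator sigma_i, 1 <= i <= n-1."""
    p = list(range(n)); p[i - 1], p[i] = p[i], p[i - 1]; return tuple(p)

def crossings(s):
    """Pairs of strands (labelled by start position) that cross in s."""
    n = len(s)
    return {(a, b) for a in range(n) for b in range(a + 1, n) if s[a] > s[b]}

def prefix(s, t):
    """s is a prefix of t (t = s c, c positive) iff every pair of strands
    crossing in s also crosses in t (Elrifai-Morton)."""
    return crossings(s) <= crossings(t)

def tau(s):
    """Conjugation by Delta, sigma_i -> sigma_{n-i}; tau^2 is the identity."""
    n = len(s)
    return tuple(n - 1 - s[n - 1 - k] for k in range(n))

def first_factor(a, b):
    """Maximal simple prefix of a*b for simple a, b: make the pair left-weighted
    by moving sigma_i from the front of b to the end of a while S(b) is not in F(a)."""
    a, b = list(a), list(b)
    while True:
        inv = sorted(range(len(a)), key=a.__getitem__)  # inv[q]: strand ending at q
        start = {i for i in range(1, len(b)) if b[i - 1] > b[i]}      # S(b)
        finish = {i for i in range(1, len(a)) if inv[i - 1] > inv[i]}  # F(a)
        movable = start - finish
        if not movable:
            return tuple(a)
        i = min(movable)
        a = [i if q == i - 1 else i - 1 if q == i else q for q in a]  # a := a sigma_i
        b[i - 1], b[i] = b[i], b[i - 1]                               # b := sigma_i^-1 b

def satisfies(s, delta, J):
    """P(delta, J) for d_t = Delta^{j_t} p_t with p_t simple (assumption here):
    inf(s^-1 d_t s) >= j_t iff tau^{j_t}(s) divides p_t s, i.e. its first factor."""
    return all(prefix(tau(s) if j % 2 else s, first_factor(p, s))
               for p, j in zip(delta, J))

def minimal(elems):
    """Minimal elements of a set of simple elements for the prefix order."""
    return sorted(s for s in elems if not any(t != s and prefix(t, s) for t in elems))

def min_S_P(n, delta, J):
    """min(S_P) over non-trivial simple elements, and the r_i per generator."""
    one = tuple(range(n))
    S_P = [s for s in map(tuple, permutations(range(n)))
           if s != one and satisfies(s, delta, J)]
    r = {i: minimal([s for s in S_P if prefix(gen(n, i), s)]) for i in range(1, n)}
    return minimal(S_P), r
```

For $n = 3$ and $\delta = (\sigma_1)$, $J = (0)$ the code returns $\min(S_{\mathcal{P}}) = \{\sigma_1, \sigma_2\sigma_1\}$ with $r_1 = \sigma_1$ and $r_2 = \sigma_2\sigma_1$; for $n = 4$, $\delta = (\Delta\sigma_1, \sigma_3)$, $J = (1, 0)$ it returns a single $r_i$ per generator, with $r_3 = \sigma_3$ and $r_1 = \sigma_1\sigma_3$.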

5 Theoretical complexity 

The algorithm we presented in this paper is exactly as the one in [14] except for the computations of $S_{\delta,J}$, for every $\delta \in C^{\inf}(\alpha)$. The main step is the computation of $r_i$ given by the algorithm in the previous section. So we start by studying the complexity of this computation:

Proposition 5.1. Given $J = (j_1, \ldots, j_r) \in \mathbb{Z}^r$, $\delta = (d_1, \ldots, d_r) \in C_J$ and $i \in \{1, \ldots, n - 1\}$, one can compute $r_i$ (the minimal simple element which is divisible by $\sigma_i$ and conjugates $\delta$ to an element in $C_J$) in time $O(r l^2 n^2)$, where $l$ is the maximal word-length of the $d_i$'s.

Proof. We need to study the complexity of the algorithm in the previous section. First, Step 1 can be performed by computing the left normal form of every $d_t$. Every normal form takes time $O(l^2 n \log n)$, so Step 1 can be done in time $O(r l^2 n \log n)$.

The requirements of Step 2 can be achieved while doing Step 1: if some $d_t$ has infimum $j_t$, we keep the value of $p_t$. Hence Step 2 is negligible, as well as Step 3.

Now we start a loop in Steps 4-7, which has at most $\frac{n(n-1)}{2}$ iterations, as we saw above. The only non-negligible steps are Steps 4 and 6. In Step 4, for every $t \in D$ we must compute $\tau^{j_t}(s)$, which can be done in linear time on the word size of $s$ (at most $\frac{n(n-1)}{2}$), and then we must compute the left normal form of $p_t s$, taking time $O(l n \log n)$ (notice that $p_t$ is already in left normal form). After performing these computations, to check if $\tau^{j_t}(s) \preceq p_t s$ is $O(n \log n)$ (cf. [?]). Hence Step 4 takes time $O(r l n^2)$. On the other hand, Step 6 can be done in time $O(l n \log n)$ by [?]. Therefore, each iteration of the loop takes time $O(r l n^2)$.

Now we could say that, since there are at most $\frac{n(n-1)}{2}$ iterations, all of them can be computed in time $O(r l n^4)$. But we can do better than that: the different values of $s$ in the successive iterations form an ascending chain of simple elements. Hence, the total number of computations performed in all the iterations is the same as if it were just one iteration, with the maximum value of $s$ (see [?]). Therefore, the whole loop can be done in time $O(r l n^2)$, and the whole algorithm takes time $O(r l^2 n^2)$. □

We can now apply this result to measure our contribution to the algorithm in [14].

Proof of Theorem 1.3. One just needs to apply the classical algorithm by Garside, together with the results given in Proposition 2.2 and Corollary 3.3. To be more precise, let $J = (\inf(a_1), \ldots, \inf(a_r)) \in \mathbb{Z}^r$. For every element $\delta \in C^{\inf}(\alpha)$ (there are $N$ elements) one must compute $S_{\delta,J}$. This takes time $O(r l^2 n^2)$ for every element $r_i$, by the above result. Since there are at most $n - 1$ such elements, it takes time $O(r l^2 n^3)$. Then one must conjugate $\delta$ by all the elements in $S_{\delta,J}$ (at most $n - 1$), so we do at most $n - 1$ conjugations by simple elements, each one taking time $O(l n \log n)$ since $\delta$ is already in left normal form.

The algorithm stops when we find $\beta$. So, in the worst case, the complexity of the whole computation is $O(N r l^2 n^3)$, as we wanted to show. □



6 Final remarks 

In this paper we have improved the algorithm in [14] to solve a MSCP. More precisely, we have improved a particular case of a MSCP, when the conjugate elements $\alpha$ and $\beta$ are such that $\beta \in C^{\inf}(\alpha)$.

It is shown in [14] how to transform the general situation into this particular case (see Theorem 1.1), but the complexity of this step depends on the size of the solution! Therefore, using this method we do not have an upper bound for the complexity of the general case, in terms of the input data. Nevertheless, if our interest is to attack the cryptosystem in [?], where the secret key is the solution to the MSCP, then the complexity given in Theorem 1.1, to transform the general case into this particular case, yields a very efficient running time.

Nevertheless, if one dislikes measuring the complexity in terms of the length of the solution, one can do the following: given two conjugate elements $\alpha = (a_1, \ldots, a_r)$ and $\beta = (b_1, \ldots, b_r)$ in $(B_n)^r$, let $J = (j_1, \ldots, j_r) \in \mathbb{Z}^r$, where $j_i = \min(\inf(a_i), \inf(b_i))$. Then one has $\alpha, \beta \in C_J$. Now define $C^{\inf}(\alpha, \beta)$ as the set of $\delta \in C_J$ conjugate to $\alpha$ (thus to $\beta$). Then all the above results can be applied to $C^{\inf}(\alpha, \beta)$, so we do not need to pass through Theorem 1.1. That is, we have:

Theorem 6.1. Let $\alpha = (a_1, \ldots, a_r)$ and $\beta = (b_1, \ldots, b_r)$ in $(B_n)^r$. Let $l$ be the maximal word length of the $a_i$'s and $b_i$'s, and let $M$ be the number of elements in $C^{\inf}(\alpha, \beta)$. Then one can compute a braid $x \in B_n$ such that $x^{-1} \alpha x = \beta$ in time $O(M r l^2 n^3)$.

Anyway, we do not think that this is the best way to proceed, since $C^{\inf}(\alpha, \beta)$ will be, in general, much bigger than $C^{\inf}(\alpha)$, so one should try first to raise the infimum of the entries of $\alpha$ and $\beta$, before starting to construct the whole $C^{\inf}(\alpha, \beta)$.

On the other hand, the complexity given in Theorems 1.3 and 6.1 may lead to confusion, since one may think that we solved the MSCP in polynomial time. This is not true, since the factors $N$ and $M$ (the sizes of $C^{\inf}(\alpha)$ and $C^{\inf}(\alpha, \beta)$) may not be polynomial in $(n, r, l)$ (there are no known bounds for $N$ or $M$ in terms of $(n, l, r)$). All we can say by now is that $N$ and $M$ get smaller as $r$ grows, so it seems that MSCP's are simpler than usual conjugacy problems in braid groups (see the discussion in [?] about the size of $N$).

Finally, the algorithm in this paper works not only for braid groups, but for a larger class of groups, called Garside groups (see [?] and [?]), that share with braid groups the existence of simple elements and their basic properties. It can also be applied to other Garside structures in braid groups, as the one obtained from the presentation by Birman, Ko and Lee in [?].